classification
Title: Insecure Windows python directory permissions
Type: security Stage:
Components: Installation, Windows Versions: Python 3.1, Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: Win32: Security problem with default installation directory
View: 1284316
Assigned To: Nosy List: Gynvael.Coldwind, eric.smith, loewis
Priority: normal Keywords:

Created on 2010-11-21 16:00 by Gynvael.Coldwind, last changed 2010-11-21 19:17 by loewis. This issue is now closed.

Files
File name Uploaded Description Edit
Python_dir_list.txt Gynvael.Coldwind, 2010-11-21 16:00 List of insecure directories
Messages (2)
msg121947 - (view) Author: Gynvael Coldwind (Gynvael.Coldwind) Date: 2010-11-21 16:00
Hi,

Installers I've tested:
Python 3.1.2 (signed Sunday, March 21, 2010 12:49:44 AM)
Python 2.7 (signed Sunday, July 04, 2010 7:23:45 AM)

It seems that Python's Windows installer doesn't correctly set permissions of Python's directories, allowing any user on the system to create a file inside these directories.

Using DLL Spoofing method (aka DLL Hijaking or Binary Planting) an unprivileged user can create an arbitrary DLL file (e.g. named python31.dll imported by python.exe) inside that directory, which will get loaded and it's code will get executed when some other user launches any python or the interpreter itself (i.e. this may lead to elevation of privileges).
This has been tested and proved to work.

Easiest way to check:
1. Install Python on Windows (with NTFS partition)
2. Create a user without any administrative permissions
3. Run a command shell in the context of that user
4. Type: echo.>c:\python31\python31.dll (the name of the directory and DLL file may be different)
5. Run c:\python31\python.exe or any python script from any user
You should get the following message:

---------------------------
python.exe - Bad Image
---------------------------
c:\python31\python31.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. 
---------------------------

This proves that the created DLL file was (tried to be) loaded into the context of the process. 


Main directories ACLs:
C:\Users\test>cacls c:\python31
c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Users\test>cacls c:\python27
c:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F

These directories SHOULD NOT allow Users to FILE_APPEND_DATA or FILE_WRITE_DATA.

Suggested fix:
The installer should make sure the FILE_APPEND_DATA and FILE_WRITE_DATA rights are not present in any directories ACLs.

Attached: List of directories found to be insecure (i.e. everyone can create a file there).
msg121965 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-11-21 19:17
This is a duplicate of issue1284316
History
Date User Action Args
2010-11-21 19:17:17loewissetstatus: open -> closed
resolution: duplicate
superseder: Win32: Security problem with default installation directory
messages: + msg121965
2010-11-21 18:41:05eric.smithsetnosy: + eric.smith
2010-11-21 16:49:35pitrousetnosy: + loewis
2010-11-21 16:00:53Gynvael.Coldwindcreate